Screened Subnet Architecture

This setup provides an extra security layer to screened host architecture by creating a perimeter subnet which further isolates internal network from the Internet.In this architecture two screening routers and a single screening host is used. Both routers are connected to create the perimeter subnet also called Demilitarized Zone (DMZ). Screening host sits in this subnet between two routers. One router is facing the Internet and other is facing local network. Now to break into the internal network an attacker has to pass through both the routers. Even if it breaks through screening host it still has to pass through the internal router. The DMZ could also contain all information servers, modem pools and other systems that require careful controlled access.

Advantages

• Provides maximum depth of defense• Local network can provide services to outside without compromising to inside• Much flexible than previous solutions

Disadvantages

• Costly as compared to other architectures• Much complex and requires very careful configuration between guarding machines